Transport and Application Protocol Scrubbing

This paper describes the design and implementation of a protocol scrubber, a transparent interposition mechanism for explicitly removing network attacks at both the transport and application protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems; whereas the application scrubbing mechanism supports transparent fail-closed active network-based intrusion detection systems. The transport scrubber’s role is to convert ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. As an example, this paper presents the implementation of a TCP/IP scrubber that eliminates insertion and evasion attacks – attacks that use ambiguities to subvert detection – on passive network-based intrusion detection systems, while preserving high performance. The application protocol scrubbing mechanism is used as a substrate for building fail-closed active network-based intrusion detections systems that can respond to attacks by eliding or modifying application data flows in real-time. This paper presents the high-performance implementation of a general purpose transparent application-level scrubbing toolkit in the FreeBSD kernel.